    TrendLabs Security Intelligence Blog

    Archive for March 28th, 2012




    After our previous finding involving a targeted attack whose payloads were OS-dependent, we encountered a more recent run that leads to a malicious file specifically affecting Mac OS X. The said malware, detected as TROJ_MDROPR.LB, is a Trojan being used in pro-Tibetan targeted campaigns, as initially described by AlienVault.

    While investigating the campaign, we found that the C&C server used in this particular attack is the same one we saw used by one of the Gh0stRat payloads in the series of pro-Tibetan targeted attack campaigns we have been seeing recently.
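    The infrastructure pivot described above (linking a Mac backdoor to Gh0stRat samples because they contact the same C&C) can be done systematically over a set of detection records. The following Python is an added example and not Trend Micro's code; every sample id and C&C host in it is a constructed placeholder, not an indicator from this post. The only name taken from the post is the backdoor detection OSX_KONTROL.EVL given in the update below.

```python
"""Pivoting on shared C&C infrastructure across malware families (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    sample_id: str   # constructed placeholder, not a real hash
    detection: str   # vendor detection name
    platform: str    # "osx" or "win"
    cnc: str         # C&C host the sample contacts (constructed placeholder)


# Constructed records illustrating the overlap described in the post:
# the OS X backdoor and one Gh0stRat payload share host "a"; a second
# Gh0stRat payload uses host "b"; an unrelated family uses host "c".
SAMPLES = [
    Sample("sample-placeholder-1", "OSX_KONTROL.EVL", "osx", "cnc-placeholder-a.example"),
    Sample("sample-placeholder-2", "Gh0stRat payload", "win", "cnc-placeholder-a.example"),
    Sample("sample-placeholder-3", "Gh0stRat payload", "win", "cnc-placeholder-b.example"),
    Sample("sample-placeholder-4", "Unrelated family", "win", "cnc-placeholder-c.example"),
]


def group_by_cnc(samples):
    """Map each normalized C&C host to the samples that contact it."""
    groups = defaultdict(list)
    for s in samples:
        groups[s.cnc.lower().rstrip(".")].append(s)
    return dict(groups)


def shared_infrastructure(samples):
    """Return {cnc: sorted family names} for hosts used by more than one family."""
    out = {}
    for cnc, group in group_by_cnc(samples).items():
        families = sorted({s.detection for s in group})
        if len(families) > 1:
            out[cnc] = families
    return out


def cross_platform_hosts(samples):
    """Hosts contacted by both OS X and Windows samples (sorted)."""
    return sorted(cnc for cnc, group in group_by_cnc(samples).items()
                  if {s.platform for s in group} >= {"osx", "win"})


def linked_families(samples, detection):
    """Families reachable from `detection` through shared C&C hosts, transitively.

    Follows family -> host -> family edges so that two families that never
    share a host directly are still linked if a third family bridges them.
    """
    by_cnc = group_by_cnc(samples)
    seen, frontier = {detection}, [detection]
    while frontier:
        fam = frontier.pop()
        for group in by_cnc.values():
            if any(s.detection == fam for s in group):
                for s in group:
                    if s.detection not in seen:
                        seen.add(s.detection)
                        frontier.append(s.detection)
    seen.discard(detection)
    return sorted(seen)


if __name__ == "__main__":
    print("shared C&C:", shared_infrastructure(SAMPLES))
    print("cross-platform hosts:", cross_platform_hosts(SAMPLES))
    print("linked to OSX_KONTROL.EVL:", linked_families(SAMPLES, "OSX_KONTROL.EVL"))
```

    Hosts are normalized (lower-cased, trailing dot stripped) before grouping so that the same server logged in two forms is not counted as two nodes; with real data the same normalization would be applied to IP addresses and resolved domains before pivoting.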

    Here is a snapshot of the email containing the malicious .DOC attachment that dropped a Gh0stRat payload connecting to the said C&C:

    Going back to TROJ_MDROPR.LB, we found details about a particular malicious document used in the campaign:

    One of the routines executed by TROJ_MDROPR.LB is to drop and open a non-malicious .DOC file, in order to trick the user into believing they have opened a normal document.

    This development in targeted attacks shows that the groups behind campaigns such as this one are taking changes in the computing landscape into consideration, such as the growing number of Mac users. This adjustment to target Macs also shows that they are refining their scope and customizing their tools to suit their targets.

    In this light, and knowing that Mac OS X has seen its fair share of threats increasing, users should be aware that Mac OS X can also be targeted and is seen as a new playing field by the groups behind targeted attacks and APTs to further their agenda.

    More on this as we are continuously investigating this. Stay tuned.

    Updates as of March 29, 2012 12:23 PM (PST)

    The backdoor that is dropped by TROJ_MDROPR.LB is detected by Trend Micro as OSX_KONTROL.EVL.

    Updates as of March 30, 2012 5:24 AM (PST)

    The other file dropped by TROJ_MDROPR.LB is now detected as OSX_KONTROL.HVN.
